MCP integration lacks per-message authentication and integrity verification #4840

@razashariff

Description

Summary

ADK's MCP integration enables agents to call tools via the Model Context Protocol, but MCP itself provides no cryptographic identity or message integrity layer. There is no mechanism to verify which agent issued a request, whether a tool definition has been tampered with, or whether a message is a replay.

This is a protocol-level gap that affects all MCP adopters.

The gap

  • No agent identity: Any client connecting over MCP can call any tool. There is no passport or certificate mechanism.
  • No message signing: JSON-RPC messages are sent unsigned. Parameters can be modified in transit.
  • No tool integrity: Tool definitions (tools/list) are not signed by their author. Tool poisoning (OWASP MCP03) allows an attacker to modify tool descriptions to change agent behavior.
  • No replay protection: The same message can be replayed indefinitely. No nonce, no timestamp window.

OWASP has published an MCP Top 10 covering these risks. CVEs with CVSS 9.6 have been filed against MCP implementations.

Existing work

An IETF Internet-Draft has been published to address this:

The spec adds agent passports (ECDSA P-256), per-message signing, tool definition signatures, and nonce-based replay protection as an envelope around existing JSON-RPC -- fully backward-compatible with current MCP.

Happy to discuss technical details or integration approaches.

Labels

  • mcp [Component] Issues about MCP support
  • needs review [Status] The PR/issue is awaiting review from the maintainer
  • tools [Component] This issue is related to tools
